Client sends ClientID, secret, redirect URI and code challenge --> Authorization Server --> Auth Server sends back Auth Code --> Client --> Sends the previously generated code challenge (string) --> Auth Server --> Auth Server checks if the code challenge is same as the one that was sent earlier when it generated that particular Auth Code. --> Auth Server Sends back Access token.
How does this secure the client application? I mean that if someone can steal the ClientID and secret then it can also generate a random string and send all three to the Authorization server to generate Auth Code and then make another request to get the access token. Eventually the token would expire and then the person could repeat the process since it has the ClientID and Secret. It is just a matter of generating that random code challenge again.
I understand that Hacker App cannot use the stolen AuthCode to get an Access Token because of PKCE but – why can’t Hacker app use the clientID of your app and generate a code verifier then ask Authorization Server for an Auth Code and then again for Access Code?
Is it impossible to steal ClientID?
When the Authorization server sends back the AuthCode to the client, is that the only point which is vulnerable?
I have been through this post but I am still not clear on this.
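As an added example, not from the original post or any real library: a small Python simulation of the S256 PKCE exchange the question describes. The server binds the code_challenge to the auth code it issues, and the token request carries the code_verifier (not the challenge again); a party holding only the intercepted code cannot produce a verifier that hashes to the stored challenge. The AuthServer class and its method names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: a high-entropy random string of 43..128 unreserved chars;
    # base64url of 32 random bytes (padding stripped) yields 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    """Hypothetical authorization server (assumed API, for illustration only)."""

    def __init__(self) -> None:
        # auth code -> (client_id, code_challenge) recorded at authorization time
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # The challenge arrives with the authorization request and is bound
        # to the issued code; the verifier itself is never sent at this step.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._codes.pop(code, None)  # auth codes are single-use
        if entry is None or entry[0] != client_id:
            return None
        # Recompute the challenge from the presented verifier and compare in
        # constant time against the one bound to this code.
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None
        return "access-token-" + secrets.token_hex(8)


def demo() -> Tuple[bool, bool]:
    """Returns (legitimate exchange succeeds, intercepted-code exchange fails)."""
    server = AuthServer()
    verifier = make_code_verifier()
    code = server.authorize("my-client-id", make_code_challenge(verifier))
    legit = server.token("my-client-id", code, verifier) is not None
    # Holder of only the code and client_id guesses a fresh verifier: rejected.
    code2 = server.authorize("my-client-id", make_code_challenge(make_code_verifier()))
    rejected = server.token("my-client-id", code2, make_code_verifier()) is None
    return legit, rejected
```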